The New Ransomware

Bill Crahen

April 2, 2015

Over the past two years we have seen a new type of security threat that has caught many individuals and companies off-guard and is raising concerns for the rest of us. In late 2013 we started seeing CryptoLocker, which we classify as ransomware. Its goal was to silently encrypt your files (documents, photos, CAD, etc.) and then, when ready, prompt you to either pay a ransom for the decryption key or lose your data forever. It was bad enough that CryptoLocker encrypted your local files, but if you were on a corporate network it would go to work on those network files as well. The only way to recover the data was to restore from backup (assuming your backups were good and went back far enough to predate the encryption) or to pay the ransom. It is estimated that over 40% of victims paid the ransom and that the thieves made over 3 million dollars.

The next version of ransomware has now started to show up, and this time it is not after your documents but after your corporate data. Compromised application servers are configured to silently encrypt your databases, or even just a field or two in a database (so that performance is not affected and nothing is noticed), over a period of time, in some cases up to six months. Then, at some point, the encryption key is removed and the application crashes because the data is now unreadable. With such a long window you are faced with restoring from backup and losing six months of data (again, if your backups go back that far) or paying the ransom.

For years we have relied on our antivirus and malware scanners to protect us, and even though they were not perfect, they, along with another layer of security at our firewalls, were pretty good at preventing malware. These are still extremely important tools, but we need to start thinking more about compromise detection in addition to prevention. Two important items to consider are file integrity monitoring (FIM) and enhancing our backup and recovery solutions. We consider FIM solutions auditing tools: they are important for monitoring and quickly notifying us when an unauthorized change is made, allowing us to investigate and remediate before weeks or months go by unnoticed. We also all have backup systems in place, but many are not tested frequently enough, and our retention periods may need to be reviewed. The good news is that these solutions are both affordable and serve many purposes in addition to malware detection.
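To make the FIM idea concrete, here is a minimal baseline-and-compare script added as an example (it is not from the original post or any particular FIM product). The directory, file names and the "encrypted" bytes in `demo()` are constructed for the demonstration; a real deployment would schedule the compare and alert on the result.

```python
"""Minimal file integrity monitoring (FIM): baseline a tree, later compare.
Added example, not from the original article. Silent in-place encryption shows
up as 'modified' entries long before an application fails to read the data."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (path relative to root) to its digest."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): hash_file(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into sorted added/removed/modified path lists."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": sorted(p for p in old & new if baseline[p] != current[p])}


def demo() -> dict:
    """Constructed scenario: two files baselined, one later overwritten, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices.csv").write_text("id,amount\n1,100\n")
        (root / "notes.txt").write_text("quarterly notes\n")
        saved = json.dumps(build_baseline(tmp), sort_keys=True)  # stored baseline
        # Simulate in-place encryption: same file name, unreadable contents.
        (root / "invoices.csv").write_bytes(b"\x8f\x12\xa0\x44 not the csv anymore")
        (root / "README.ransom").write_text("pay up\n")
        return compare(json.loads(saved), build_baseline(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```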